How Banks Can More Intelligently Address Cyber Crime and Business Risk

The scale of cybercrime is already astounding, and it’s still growing. Millions of successful and attempted cyber incidents occur in the US each year, sending millions of users’ personal information into the hands of criminals and resulting in billions of dollars in costs and lost revenues. These criminals have evolved and organised to the point where they have a wide-ranging arsenal of tricks and techniques at their disposal. These include fake mobile applications, phishing emails, fraudulent website domains and, increasingly, social media activity. Attacks can come from literally any online direction or channel, and sophisticated attacks regularly combine several of these activities into a single, criminal campaign.

In a recently published report on cybercrime, the Ponemon Institute found that US financial institutions (FIs) suffered an average loss of US$23.6m in 2013 because of cybercrime – the highest figure of any industry. Banks, credit unions, savings associations and other financial firms regardless of their size are attractive targets to modern-day Willie Suttons. In addition to these tangible financial losses, FIs increasingly find that their businesses are harmed by reputational loss or brand damage.

Each online, social or mobile channel is a portal to a world of information, but each one is also ripe with potential vulnerabilities that could be exploited and expose organisations to serious risk. With so many threats at their doorsteps, FIs must continuously monitor for threatening activities across all online channels, identifying those incidents that could have a detrimental impact on their brand and then neutralising them before they reach critical mass. Failure to do so could lead to not just a damaged brand reputation, but also customer dissatisfaction, increased churn and a dramatic blow to their bottom lines.

Thanks in part to common sense, bolstered by regulatory requirements, today nearly every FI has some sort of anti-phishing protection in place, most often led and managed by security operations teams. Some banks have begun to search online for counterfeit domains, and/or stolen credit card information, but too often these efforts are ad hoc initiatives, departmentally siloed, with very little information sharing between teams.

Following guidance from the Federal Financial Institutions Examination Council (FFIEC), it’s clear that the time has come for FIs to focus more on cyber criminals’ increasingly preferred platform: social media.

Social Media: The New Frontier of Cybercrime

The appeal of social media for FIs is clear. They can create a dynamic, conversational brand voice through these online channels, while using platforms for general marketing of products and services, document distribution, feedback solicitation and customer service. As the US Institute of Internal Auditors (IIA) states, it offers an opportunity to “attract, engage and retain” customers.

However, social media is a particularly troublesome arena for FIs as they develop cyber defence plans. Why is this?

First, the logistics of social media compliance and threat monitoring are difficult to manage. A brand might have a presence on Facebook, Twitter, LinkedIn, YouTube and elsewhere. Each platform needs to be monitored constantly. But some organisations lack the resources needed to protect every computer and mobile device, hire an in-house IT team, or properly educate employees about cyber security.

Second, social media issues can arise completely outside of an institution’s oversight. Through social media, any individual can make a statement, misstatement or disclosure that can have tremendous public relations, compliance or regulatory impact on an institution’s operations. Thankfully, broad, spectacular security breaches involving major banks are few and far between, but everyday bank customers come under attack from social media and social engineering schemes, initiated by criminals who often reside on foreign shores.

Today, social media-based cybercrime ranks behind other kinds of cybercrime, such as phishing, on a typical FI’s list of concerns. In a survey of BrandProtect banking customers, 87% of respondents cited phishing, 80% cited identity theft and 73% cited brand abuse as the most common threats to their brand. Social media occupies the fourth spot on this list, with 67% of institutions surveyed declaring that they were concerned about social media threats potentially creating vulnerability.

The ‘Lockstep’ Efforts of the Public and Private Sector

Yet there is little doubt that social media is rapidly rising on the list of security concerns. In late 2013, the FFIEC issued formal guidance to banks, credit unions, savings associations and other FIs that face rapidly evolving, complex threats as a result of their social media activity. The McAfee Labs ‘2014 Threats Predictions’ report declared that attacks through social media would become ‘ubiquitous’ by the end of this year, with some of the most common attacks being ‘fake flag’ requests for passwords from imposters.

Last month the US Securities and Exchange Commission (SEC) sponsored a roundtable discussion to highlight the threats to financial entities, during which time chair Mary Jo White said that “the public and private sectors must be riveted in lockstep in addressing these threats.”

The FFIEC did not intend for its social media guidance to produce a chilling effect on FIs, nor practically could it as the online economy, social media, and mobile applications are here to stay. Instead, the FFIEC has tried to suggest a set of best practices for online monitoring and managing social media exposure. Only through comprehensive online listening across all channels can an FI remain attentive to three risks: reputational, operational and compliance.

Comprehensive listening requires a cross-departmental, not a siloed, approach. For most organisations it requires collaboration between groups that don’t usually find themselves collaborating. However, institutions that are successful with a multi-channel monitoring and threat-mitigation programme will protect their brand trust and reputational value. Through coordinated, centralised, multi-channel listening, organisations will be able to connect seemingly disparate activities into an integrated understanding of complex and persistent threats. The FIs that successfully implement a multi-channel practice will attain a significant competitive advantage, preserving and enhancing their customer trust and business value.

Cybercrime Spares no Victims

An FI’s risk level or likelihood of becoming victim to a cyber attack is not necessarily commensurate with its size, reputation, revenue or any other factor. For every JPMorgan Chase attack that exposes the personal information of 465,000 corporate and government clients, there’s an incident such as the one in July 2013 that affected 18,400 Redwood Credit Union debit card holders who shopped at a regional grocery chain across northern California and northern Nevada.

No matter the size of an institution, the stakes are too high to ignore cyber threats. In essence, an organisation’s fate (through brand reputation) and the fates of its customers (through the money they have entrusted to it) depend on a cross-departmental team’s willingness to work together to acknowledge and address online vulnerabilities.

In most cases, the first step in understanding an FI’s vulnerability to online and social media threats is a comprehensive cyber risk assessment. Then, a champion for the centralised listening must be determined. In some cases this will be the operational security team, while in other cases, legal, marketing or the chief financial officer’s (CFO) office will drive the project. Yet no matter who leads the effort, all departments will benefit when a company has a deep understanding of its online risks, and when a company takes proactive steps to mitigate those risks.

In the 1930s, Willie Sutton robbed banks because that’s where the money was. It was a lot harder for Willie than it is for a bank robber now. Today, criminals don’t have to go to a bank to find the money, because all the banks are online, and all the banks’ customers are online, too.

It’s true that anyone who has access to the Internet has the potential to reach any customer of any bank. However, with appropriate multi-channel monitoring as described by the FFIEC, any bank, credit union or FI can safeguard its customers, its brand and its business.
